KW Knowledge base

Users & access

`/admin/users` is the login-account directory. Distinct from [People](07-customers-people.md) (HR records) and [CRM contacts](04-crm.md) (external).

Mitch Wigham
Updated 24 June 2026

20 · Users & access

Where to find it

  • /admin/users — list, edit
  • /admin/users/invite — invite a new user
  • /admin/audit — audit log

The user list and invite pages admit ADMIN, SUPER_ADMIN, and MANAGER. The audit log requires ADMIN or SUPER_ADMIN.

Layout

+--------------------------------------------------------------+
| Users                                         [+ Invite user] |
|--------------------------------------------------------------|
| Name   Email             Role    MFA   Status   Last login    |
| Mitch  mitch@kwgroup.uk  ADMIN   ✓ On  Active   18/05/26      |
| Emma   emma@kwgroup.uk   AGENT   ✓ On  Active   20/05/26      |
| Jamie  jamie@kwgroup.uk  AGENT   —     Active   12/05/26      |
| Pat    pat@kwgroup.uk    AGENT   —     Inactive —             |
+--------------------------------------------------------------+

📷 Screenshot placeholder: screenshots/users-list.png

Adding a user

/admin/users/invite has two modes — pick the tab at the top of the form.

✉️ Send invite

The traditional flow. Enter:

  1. Email (must be unique).
  2. Role — Agent, Manager, Admin, or Contractor / Vendor.
  3. (When the multi-tenant feature is on) Pick the tenant.

Click Send invitation. The platform creates a tokenised invitation link, e-mails it to the user, and displays the same link on screen so you can copy and share it directly. The user opens the link, lands on the accept-invitation page, and sets their own name + password. Invitation links expire after 7 days.

⚡ Create now

Skip the email round-trip. Useful when:

  • You're onboarding someone in a meeting and want them logged in by the end of the call.
  • The user can't receive email yet (mailbox not provisioned, domain not cut over).
  • You're seeding a service account.

Enter email, name, role, password (≥ 8 chars), and optionally job title / office address / notes. The account is usable immediately — the user can sign in with the password you set. Tell them to change it on first login from Profile → Security.

⚠️ Caution. Passwords set this way travel through your TLS session and are hashed with bcrypt server-side. Don't paste them into chat or ticket replies after creation — share them via Vault or a one-time link tool instead.

Editing a user

Click Edit on any user row to open the edit form. From here you can:

  • Change the full name.
  • Change the role.
  • Review read-only status fields (active/inactive, MFA enabled, joined date, last login).

If you are a SUPER_ADMIN, a second Tenant memberships panel lets you tick which tenants the user belongs to and choose their default (landing) tenant.

To remove access, use Deactivate on the user list — this clears their access immediately. There is no in-UI hard-delete or per-user 2FA force-reset on the edit form today.

Roles

There are six platform roles:

Role          What they can do
-----------   ---------------------------------------------------------------------
SUPER_ADMIN   Everything, including tenant memberships and cross-tenant management.
ADMIN         Administer the platform: users, settings, integrations, tenants.
MANAGER       Elevated staff; can reach the Users list.
AGENT         Standard staff member.
CUSTOMER      Customer self-service access.
VENDOR        Contractor / vendor portal access.

A user has one role; it is stored on the user record.

Shadow memberships

When a tenant is created, every active user whose primary org is the admin tenancy is automatically given a shadow membership in the new tenant: they can switch into it and operate, but don't appear in that tenant's user list. This is how an MSP's staff serve customer tenancies without showing up in the customer's directory. Shadow memberships are seeded automatically — there is no manual "add shadow membership" button on the user edit form.

2FA

Two-factor authentication is opt-in for every role, including admins — the platform does not currently force admins to enable it. A user sets up 2FA themselves from Account settings (/profile/settings). The platform does not issue printable recovery codes, so if a user loses their authenticator an administrator must reset 2FA on the back end.
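
Because 2FA is opt-in even for admins, a periodic check of the Users list for elevated accounts without it is worth scripting. The following is an added example, not platform code: it assumes the columns shown under Layout have been saved as CSV (the page documents no export), and the sample rows, addresses and 60-day stale threshold are constructed.

```python
import csv
import io
from datetime import date, datetime

# Roles the page lists as able to reach /admin/users.
PRIVILEGED = {"SUPER_ADMIN", "ADMIN", "MANAGER"}

# Constructed sample: the Users list columns as CSV (the CSV form is an assumption).
SAMPLE = """name,email,role,mfa,status,last_login
Alex,alex@example.test,SUPER_ADMIN,On,Active,18/05/26
Blake,blake@example.test,ADMIN,-,Active,20/05/26
Casey,casey@example.test,MANAGER,-,Active,01/02/26
Drew,drew@example.test,AGENT,-,Active,12/05/26
Eden,eden@example.test,ADMIN,-,Inactive,-
Finn,finn@example.test,AGENT,On,Active,-
"""

def parse_login(value):
    """Return a date for DD/MM/YY, or None when the account has never signed in."""
    value = value.strip()
    if value in ("", "-", "—"):
        return None
    return datetime.strptime(value, "%d/%m/%y").date()

def review_users(csv_text, today, stale_days=60):
    """Return (privileged_without_2fa, stale_active) as lists of e-mail addresses."""
    no_2fa, stale = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "active":
            continue  # deactivated accounts no longer have access
        role = row["role"].strip().upper()
        has_2fa = row["mfa"].strip().lower() in ("on", "✓ on")
        if role in PRIVILEGED and not has_2fa:
            no_2fa.append(row["email"])
        last = parse_login(row["last_login"])
        if last is None or (today - last).days > stale_days:
            stale.append(row["email"])  # candidate for Deactivate
    return no_2fa, stale

if __name__ == "__main__":
    missing, stale = review_users(SAMPLE, today=date(2026, 6, 24))
    print("Privileged, active, no 2FA:", missing)
    print("Active but stale or never signed in:", stale)
```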

Audit log

/admin/audit

Every write to a sensitive module is captured here. Each row records the actor, timestamp, action, resource type, resource ID, and the IP address. The top of the page shows 24-hour stats: events, active users, and the top action.

+--------------------------------------------------------------+
| Events (24h): 38   Users active (24h): 6   Top action: update|
|--------------------------------------------------------------|
| When         User              Action  Resource  ID    IP    |
| 28/04 09:30  Mitch (mitch@…)    update  ticket    142   …   ▶ |
| 28/04 09:28  Emma  (emma@…)     create  project   SNAG… …     |
+--------------------------------------------------------------+

📷 Screenshot placeholder: screenshots/audit.png

Filters: a free-text search (action / resource / IP) plus dropdowns for action and resource type. Rows that carry extra detail expand to show the recorded metadata as a JSON blob.

Common workflows

Add a new staff member

  1. Users → Invite user.
  2. Role = Agent. (When multi-tenant is on, pick the tenant.)
  3. Send invite — share the link with them; they set their own password.
  4. Optionally also add them to People for HR data.

Promote to admin

  • Edit user → Role = Admin → Save changes.
  • Ask them to enable 2FA from Account settings — admins are not forced into it automatically.

Lock out a leaver

  • On the user list, Deactivate them — access is removed immediately.
  • Rotate any vault items they had access to.

Audit a specific action

  • Audit log → filter by user → time range.
  • Click any entry to see the recorded before/after state.
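
The leaver and audit workflows above can be combined into one check: confirm that nothing is recorded for the leaver after deactivation, and summarise what they wrote shortly before it. This is an added example, not platform code: the JSON-lines form, field names, ISO timestamps and all sample rows are constructed around the six fields the audit log records.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows carrying the six recorded fields
# (actor, timestamp, action, resource type, resource ID, IP).
SAMPLE = """\
{"when": "2026-04-01T09:00:00", "actor": "pat@example.test", "action": "update", "resource": "ticket", "id": "101", "ip": "192.0.2.10"}
{"when": "2026-04-20T10:02:00", "actor": "pat@example.test", "action": "update", "resource": "ticket", "id": "142", "ip": "192.0.2.10"}
{"when": "2026-04-27T16:40:00", "actor": "pat@example.test", "action": "create", "resource": "project", "id": "P-7", "ip": "192.0.2.10"}
{"when": "2026-04-27T16:45:00", "actor": "pat@example.test", "action": "update", "resource": "ticket", "id": "142", "ip": "192.0.2.10"}
{"when": "2026-04-28T09:05:00", "actor": "emma@example.test", "action": "update", "resource": "ticket", "id": "150", "ip": "192.0.2.20"}
{"when": "2026-04-28T11:15:00", "actor": "pat@example.test", "action": "update", "resource": "ticket", "id": "151", "ip": "198.51.100.7"}
"""

def leaver_review(lines, actor, deactivated_at, lookback_days=14):
    """Return (events after deactivation, Counter of (action, resource) before it)."""
    after, recent = [], Counter()
    window_start = deactivated_at - timedelta(days=lookback_days)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["actor"].lower() != actor.lower():
            continue
        when = datetime.fromisoformat(ev["when"])
        if when > deactivated_at:
            after.append(ev)  # unexpected: access should already be gone
        elif when >= window_start:
            recent[(ev["action"], ev["resource"])] += 1
    return after, recent

if __name__ == "__main__":
    cutoff = datetime(2026, 4, 28, 9, 0)  # constructed deactivation time
    after, recent = leaver_review(SAMPLE, "pat@example.test", cutoff)
    for ev in after:
        print("POST-DEACTIVATION:", ev["when"], ev["action"], ev["resource"], ev["id"], ev["ip"])
    for (action, resource), n in recent.most_common():
        print(f"last 14 days: {action} {resource} x{n}")
```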
